Cyberbiosecurity: DNA Injection Attack in Synthetic Biology

TL;DR

This paper reveals a novel cyberbiological attack exploiting weaknesses in DNA screening protocols, enabling malicious DNA to be used in labs without physical contact, and proposes improved security measures for the synthetic DNA supply chain.

Contribution

It introduces an end-to-end cyberbiological attack scenario and proposes an enhanced screening protocol considering in-vivo gene editing vulnerabilities.

Findings

Demonstrates feasibility of DNA obfuscation bypassing screening

Shows attack can induce dangerous substances in labs

Highlights need for improved DNA screening protocols

Abstract

Today arbitrary synthetic DNA can be ordered online and delivered within several days. In order to regulate both intentional and unintentional generation of dangerous substances, most synthetic gene providers screen DNA orders. A weakness in the Screening Framework Guidance for Providers of Synthetic Double-Stranded DNA allows screening protocols based on this guidance to be circumvented using a generic obfuscation procedure inspired by early malware obfuscation techniques. Furthermore, accessibility and automation of the synthetic gene engineering workflow, combined with insufficient cybersecurity controls, allow malware to interfere with biological processes within the victim's lab, closing the loop with the possibility of an exploit written into a DNA molecule presented by Ney et al. in USENIX Security'17. Here we present an end-to-end cyberbiological attack, in which unwitting biologists may be tricked into generating dangerous substances within their labs. Consequently, despite common biosecurity assumptions, the attacker does not need to have physical contact with the generated substance. The most challenging part of the attack, decoding of the obfuscated DNA, is executed within living cells while using primitive biological operations commonly employed by biologists during in-vivo gene editing. This attack scenario underlines the need to harden the synthetic DNA supply chain with protections against cyberbiological threats. To address these threats we propose an improved screening protocol that takes into account in-vivo gene editing.